Get the latest security news in your inbox.

Valentine’s Day; that ever-venerated holiday celebrating human love. On a day festooned with pink hearts, mushy card exchanges, chalky candies and proclamations of undying love both for lovers and classmates alike, one thing most people try to avoid is thinking about their history of romance with people who are no longer in their life. The only problem is that occasionally, those exes don’t necessarily stop thinking about their exes.

Occasionally, abusive exes become a problem and when they do, it helps to take some appropriate steps to protect yourself immediately after a breakup to prevent them from using Open Source INTelligence (OSINT) to spy on you, or otherwise make your life difficult.

Strategy

When deciding how best to avoid OSINT that can be used to harass you in the future, it can help to break up the recorded details of your life into two broad categories; things you can hide/change, and things you can’t/or are difficult to hide or change. For the sake of this post, we will only be dealing with things that we have easy, online or physical control over. As always, it’s best to consult your threat models and apply reasonable measures to avoid whatever threats your particular ex may pose to you.

Scrubbing public profiles is the first, easiest way to ensure that you aren’t sabotaging your own effort to avoid contact. Some simple steps you can take to increase your OPSEC include:

Change all of your account passwords ASAP — If your instincts label someone as dangerous enough to alter publicly available information about yourself, it’s likely that their behavior follows a pattern that existed while you were together with them. Assuming close and personal contact with someone often means that you make exceptions to your threat models that allow them into close personal contact with both you and your devices. Never underestimate the lengths an untrustworthy ex-boyfriend or girlfriend will go to in order to snoop on you, so it’s best at minimum to ensure your passwords are in a controlled state. While you’re doing this, be sure to sign out of all other points of access for any given service.

Revoke private keys and generate new key pairs— Physical access to electronic assets lends itself to theft of sensitive information that you may be holding to protect your communications, such as PGP keys. If you suspect that your keys may have been compromised, it never hurts to revoke and regenerate keys just to be safe. On the subject of keys, re-keying your door locks and changing garage door codes can be a good way of re-establishing your physical security, and reclaiming confidence that your environment is untouched while you’re gone.

Secure crypto-coin wallets— Along with PGP keys, coin wallets are another source of electronic information, meant to be kept private that can easily be compromised by someone who knows what they want, knows where to find it, and has implicit access to the location they are kept. With ever increasing links between electronic and financial security, if one is compromised the other may be as well.

Consider fresh installs of your operating systems and factory-resets of your phone— This may seem a little extreme, but especially good idea if your devices were ever left alone with your formerly-beloved for any amount of time long enough to exploit. A back doored phone or notebook would be a prime, continuing source of love-INT and in this post-FlexiSpy world, where commodity spyware is more accessible than ever to abusive current and ex-partners lowering the bar for device compromise.

Turn off location services access to social media posts — This may seem like a cliché tip, too easy to forget, but that’s exactly what makes this one so dangerous. While posting your current location can obviously be used to find you where you are right now it can also be used to establish a pattern of life that reduces your safety if you’re being targeted by someone intent on finding you. Also, avoid using mobile games that publish your geolocation on a fixed point on a map (like Ingress or Pokemon Go). Assume your pursuer knows your usernames and can use them to locate you.

Review privacy settings for all accounts — In fact, just go ahead and double-check the privacy settings on all of your accounts while you’re turning off location services. This may also be a good time to review the friends you have on your lists who may be able to see new details after privacy settings have been restricted and make sure you don’t have anyone you don’t trust on those lists who may be willing to leak information to someone who may be hostile to you.

Sanitize public information on people-finder sites— After a bad breakup is not the ideal time to learn that there are sites that cache and expose personal information such as address, telephone numbers and family members. Sites like Spokeo, and Pipl maintain policies that allow you to opt-out of their service if you send a request for your information to be removed, but others stubbornly (and unethically) don’t respond to requests of this nature and may always be sources of reliable personal information on you.

Don’t spare the username-linked accounts!— Creating a username can be a pain, so when you’re finally able to find one it’s common to use that same username across a number of different sites. Make it a habit to keep in mind which sites may cache information about you related to your username, and sanitize information that may be exposed related to that username, as well as any posts that may have information pointing to your current whereabouts & status.

Consider making entirely new accounts— This can be very disruptive, so it’s understandable to not want to use this as a first solution but if your situation warrants it, a fresh start can give you a new lease on OPSEC. Judging whether this is an appropriate solution for you or not can be difficult though, especially if you don’t know exactly how aggressive your ex can really be. In any event, if you decide that a hard reboot on your public profile is necessary, consider using as much novel and/or anonymized information as you can and limit how much you publish about yourself.

Conclusion

Being pursued by a dedicated assailant is hard to put up with, especially for a long period of time. Taking measures to frustrate efforts to use publicly available sources of information to stalk or harass you can be anywhere between trivial and burdensome, but no social media price is too high to ensure your safety and security.

About the Author:Emily CroseEmily Crose is a security researcher and professional with over 10 years of experience including a total of 7 between being an officer for the Central Intelligence Agency and the National Security Agency.She is currently directing the Nemesis project in her free time and currently works for a DC startup.
Read more posts from Emily Crose ›